apiVersion: v1
kind: ServiceAccount
metadata:
  name: postgres-operator
  namespace: {{ k8s_postgresql_operator_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-operator
rules:
# all verbs allowed for custom operator resources
- apiGroups:
  - acid.zalan.do
  resources:
  - postgresqls
  - postgresqls/status
  - operatorconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# operator only reads PostgresTeams
- apiGroups:
  - acid.zalan.do
  resources:
  - postgresteams
  verbs:
  - get
  - list
  - watch
# to create or get/update CRDs when starting up
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - patch
  - update
# to read configuration from ConfigMaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
# to send events to the CRs
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
# to manage endpoints which are also used by Patroni
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# to CRUD secrets for database access
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - update
# to check nodes for node readiness label
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
# to read or delete existing PVCs. Creation via StatefulSet
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - delete
  - get
  - list
  - patch
  - update
 # to read existing PVs. Creation should be done via dynamic provisioning
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - update  # only for resizing AWS volumes
# to watch Spilo pods and do rolling updates. Creation via StatefulSet
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - get
  - list
  - patch
  - update
  - watch
# to resize the filesystem in Spilo pods when increasing volume size
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
# to CRUD services to point to Postgres cluster instances
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - patch
  - update
# to CRUD the StatefulSet which controls the Postgres cluster instances
- apiGroups:
  - apps
  resources:
  - statefulsets
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
# to CRUD cron jobs for logical backups
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
# to get namespaces operator resources can run in
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
# to define PDBs. Update happens via delete/create
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - get
# to create ServiceAccounts in each namespace the operator watches
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
# to create role bindings to the postgres-pod service account
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: postgres-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: postgres-operator
subjects:
- kind: ServiceAccount
  name: postgres-operator
  namespace: {{ k8s_postgresql_operator_namespace }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-pod
rules:
# Patroni needs to watch and manage endpoints
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# Patroni needs to watch pods
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - patch
  - update
  - watch
# to let Patroni create a headless service
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
